---
# Configuration for the pagure webapp

- name: install needed packages
  package: name={{ item }} state=present
  with_items:
  - pagure
  - pagure-ci
  - pagure-ev
  - pagure-loadjson
  - pagure-logcom
  - pagure-milters
  - pagure-webhook
  - python-psycopg2
  - python2-pygments2
  - redis
  - libsemanage-python
  - mod_ssl
  - stunnel
  # Use haveged to ensure the server keeps some entropy
  - haveged
  # make sure python2-openidc-client is installed
  - python2-openidc-client
  tags:
  - pagure
  - packages

- name: Initialize postgres if necessary
  command: /usr/bin/postgresql-setup initdb
           creates=/var/lib/pgsql/data
  notify:
  - restart postgresql
  tags:
  - pagure

- name: Put in robots.txt
  copy: src=robots.txt dest=/var/www/html/robots.txt
  tags:
  - pagure


# Set-up gitolite

- name: install needed packages
  package: name=gitolite3 state=present
  tags:
  - pagure
  - gitolite
  - packages

- name: Rename the user gitolite into git
  command: usermod --move-home --login git --home /srv/git/ gitolite3
           creates=/srv/git/
  tags:
  - gitolite
  - pagure

- name: Rename the group gitolite into git
  command: groupmod --new-name git gitolite3
           creates=/srv/git/.gitolite/conf
  tags:
  - gitolite
  - pagure

- name: create the /srv/git/.gitolite/conf folder
  file: state=directory
               path=/srv/git/.gitolite/conf
               owner=git group=git mode=0775
  tags:
  - gitolite
  - pagure

- name: create the /srv/git/.gitolite/keydir folder
  file: state=directory
               path=/srv/git/.gitolite/keydir
               owner=git group=git mode=0775
  tags:
  - gitolite
  - pagure

- name: create the /srv/git/.gitolite/logs folder
  file: state=directory
               path=/srv/git/.gitolite/logs
               owner=git group=git mode=0775
  tags:
  - gitolite
  - pagure

- name: create the /attachments folder
  file: state=directory
         path=/srv/attachments
         owner=git group=git mode=0775
  tags:
  - pagure

- name: Adjust owner of /srv/git
  file: name=/srv/git state=directory recurse=yes owner=git group=git
  tags:
  - gitolite

- name: Adjust permissions of /srv/git/.gitolite
  file: name=/srv/git/.gitolite state=directory recurse=yes owner=git group=git
  tags:
  - gitolite

- name: install our own gitolite configuration
  template: src=gitolite.rc
            dest=/srv/git/.gitolite.rc
            owner=git group=git mode=0755
  tags:
  - gitolite
  - pagure

- name: create all the directories where we store the git repos
  file: state=directory
               path={{ item }}
               owner=git group=git mode=0775
  with_items:
  - /srv/git/repositories/
  - /srv/git/repositories/forks
  - /srv/git/repositories/docs
  - /srv/git/repositories/tickets
  - /srv/git/repositories/requests
  - /srv/git/remotes
  tags:
  - gitolite
  - pagure

- name: create the /srv/tmp folder where to clone repos
  file: state=directory
               path=/srv/tmp
               owner=git group=git mode=0775
  tags:
  - gitolite
  - pagure


# Set-up postfix and the milter for postfix

- name: Add the /etc/aliases file
  copy: src=aliases dest=/etc/aliases owner=root mode=644
  tags:
  - config
  - pagure
  - postfix
  notify:
  - restart postfix
  - restart pagure_milter

# Override pagure_ev systemd service file

- name: install pagure_ev service definition
  copy: src=pagure_ev.service
        dest=/usr/lib/systemd/system/pagure_ev.service
        owner=root group=root mode=0644
  notify:
  - reload systemd
  - restart pagure_ev
  tags:
  - pagure
  - pagure_ev

# Set-up stunnel for the event source server

- name: install stunnel service definition
  copy: src=stunnel.service
        dest=/usr/lib/systemd/system/stunnel.service
        owner=root group=root mode=0644
  notify:
  - reload systemd
  - restart stunnel
  tags:
  - pagure
  - stunnel

- name: ensure old stunnel init file is gone
  file: dest=/etc/init.d/stunnel/stunnel.init state=absent
  tags:
  - pagure
  - stunnel
  - config

- name: install stunnel.conf
  template: src={{ item.file }}
            dest={{ item.dest }}
            owner=root group=root mode=0600
  with_items:
  - { file: stunnel-conf.j2, dest: /etc/stunnel/stunnel.conf }
  notify: restart stunnel
  tags:
  - pagure
  - stunnel
  - config

- name: Add the different service files for the different workers
  copy: src={{ item }}.service
        dest=/etc/systemd/system/{{ item }}.service
        owner=root group=root mode=0755
  with_items:
  - pagure_fast_worker
  - pagure_medium_worker
  - pagure_slow_worker
  notify:
  - reload systemd
  tags:
  - pagure


# Set-up Pagure

- name: create the /var/www/releases folder
  file: state=directory
               path=/var/www/releases
               owner=git group=git mode=0775
  tags:
  - pagure
  - web

- name: copy sundry pagure configuration
  template: src={{ item.file }}
            dest={{ item.location }}/{{ item.file }}
            owner=git group=postfix mode=0640
  with_items:
  - { file: pagure.cfg, location: /etc/pagure }
  - { file: alembic.ini, location: /etc/pagure }
  changed_when: "1 != 1"
  tags:
  - config
  - web
  - pagure
  notify:
  - restart apache

- name: create pagure database
  delegate_to: "{{ new_pagure_db_command_host }}"
  become: true
  become_user: postgres
  postgresql_db: db={{ new_pagure_db_name }}
  tags:
  - web
  - pagure

- name: ensure pagure db user has access to database
  delegate_to: "{{ new_pagure_db_command_host }}"
  become: true
  become_user: postgres
  postgresql_user: db={{ new_pagure_db_name }} user={{ new_pagure_db_user }} password={{ new_pagure_db_pass }} role_attr_flags=NOSUPERUSER
  tags:
  - web
  - pagure

- name: create the database scheme
  command: /usr/bin/python2 /usr/share/pagure/pagure_createdb.py
  changed_when: "1 != 1"
  environment:
      PAGURE_CONFIG: /etc/pagure/pagure.cfg
  tags:
  - web
  - pagure

- name: Install the configuration file to activate https
  template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
            owner=root group=root mode=0644
  with_items:
  - 0_pagure.conf
  tags:
  - files
  - config
  - pagure
  notify:
  - restart apache

- name: Install the wsgi file
  template: src={{ item }}
            dest=/var/www/{{ item }}
            owner=git group=git mode=0644
  with_items:
  - pagure.wsgi
  - docs_pagure.wsgi
  tags:
  - config
  - web
  - pagure
  notify:
  - restart apache

- name: Add default facl so apache can read git repos
  acl: default=yes etype=user entity=apache permissions="rx" name=/srv/git state=present
  register: acl_updates
  tags:
  - pagure

- name: Manually fix current default ACLs since Ansible doesnt know recursive acls
  when: acl_updates.changed
  command: /usr/bin/setfacl -Rdm user:apache:rx /srv/git
  tags:
  - pagure

- name: Manually fix current ACLs since Ansible doesnt know recursive acls
  when: acl_updates.changed
  command: /usr/bin/setfacl -Rm user:apache:rx /srv/git
  tags:
  - pagure

- name: check the selinux context of the git repo directory
  command: matchpathcon /srv/git
  register: distgitcontext
  check_mode: no
  changed_when: false
  tags:
  - config
  - pagure
  - selinux

- name: set the SELinux policy for the distgit root directory
  command: semanage fcontext -a -t gitosis_var_lib_t "/srv/git(/.*)?"
  when: distgitcontext.stdout.find('gitosis_var_lib_t') == -1
  tags:
  - config
  - pagure
  - selinux

- name: check the selinux context of the releases directory
  command: matchpathcon /var/www/releases
  register: distgitcontext
  check_mode: no
  changed_when: false
  tags:
  - config
  - pagure
  - selinux

# Note: On Fedora its httpd_sys_content_rw_t - Don't we love confusions?
- name: set the SELinux policy for the releases directory
  command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/releases(/.*)?"
  when: distgitcontext.stdout.find('httpd_sys_rw_content_t') == -1
  tags:
  - config
  - pagure
  - selinux

- name: copy over our custom selinux module
  copy: src=selinux/pagure.pp dest=/usr/local/share/pagure.pp
  register: selinux_module
  tags:
  - pagure

- name: install our custom selinux module
  command: semodule -i /usr/local/share/pagure.pp
  when: selinux_module is changed
  tags:
  - pagure

- name: set sebooleans so pagure can talk to the network (db + redis)
  seboolean: name=httpd_can_network_connect
                    state=true
                    persistent=true
  tags:
  - selinux
  - web
  - pagure

- name: set sebooleans so apache can send emails
  seboolean: name=httpd_can_sendmail
                    state=true
                    persistent=true
  tags:
  - selinux
  - web
  - pagure

############################################################
# Setup the custom theme for the upstreamfirst instance
############################################################
- name: create the upstreamfirst theme dir
  file: state=directory
      path=/var/www/upstreamfirst-paguretheme/templates
               owner=apache group=apache mode=0775
  tags:
  - web
  - pagure

- name: copy over custom master.html template
  copy: src=upstreamfirst-master.html dest=/var/www/upstreamfirst-paguretheme/templates/master.html
  tags:
  - pagure

# Ensure all the services are up and running

- name: Start and enable httpd, postfix, pagure_milter
  service: name={{ item }} enabled=yes state=started
  with_items:
  - httpd
  - postfix
  - stunnel
  - redis
  - pagure_ev
  - pagure_ci
  - pagure_loadjson
  - pagure_logcom
  - pagure_milter
  - pagure_webhook
  - pagure_worker
  - pagure_gitolite_worker
  - pagure_fast_worker
  - pagure_medium_worker
  - pagure_slow_worker
  - haveged
  ignore_errors: true
  tags:
  - pagure
  - service
  - postfix
